Phil Agcaoili, profile picture
Uploaded byPhil Agcaoili
PPTX, PDF1,961 views

CSO Magazine Confab 2013 Atlanta - Cyber Security

The document discusses cybersecurity trends and the US government's efforts to define and secure critical infrastructure. It begins by defining critical infrastructure sectors and noting the increase in cyber attacks over the last decade. It then discusses an executive order and presidential policy directive that aim to improve information sharing, develop a cybersecurity framework, and define roles for securing critical infrastructure. The document provides summaries of cybersecurity reports and trends to support taking a risk-based, evidence-driven approach to cybersecurity.

Embed presentation

Downloaded 114 times
The Executive Order – Defining the Internet Security Ecosystem Phil Agcaoili April 2, 2013
2 Cyber what? Defining Cyber • Cyber space is the connected Internet ecosystem • Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space • DHS defined 18 Critical Infrastructure Sectors (CIKR) Food and Agriculture Banking and Finance Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Government Facilities Healthcare and Public Health Information Technology National Monuments Nuclear Reactors, Materials and Icons and Waste Postal and Transportation Water Shipping Systems • Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy • Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage
3 Our physical infrastructure has become intertwined and reliant on our cyber infrastructure Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure
4
5 Why the fear? Cyber Trends - Advanced • StuxNet • Duqu • Gauss • Mahdi • Flame • Wiper • Shamoon - Saudi Aramco • SCADA Network Attacks Advanced attacks on critical infrastructure
6 Cyber Trends – Not So Advanced • Insulin pumps • Pace makers • Smart TVs • Voting and elections • US drone fleet • SYMC – RSA – VRSN – Bit9 • SNE – AMZN – AAPL – YHOO – LNKD • DoE
7 General Observations on Cyber Trends • Phishing and Email • Exploitable Links and Browsers • Java, Flash, PDF, MS Office • A/V Coverage • Android, iOS, Windows, and MacOS • Air Gaps and Removable Media • Endpoint Security • Security Awareness • Security Basics
8 A SHIFT It’s here…
9 Expectations on Critical Infrastructure • S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013 Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE) • H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013 Representative Rogers (R-MI) and 111 co-sponsors It’s unlikely that these will pass in 2013…
10 Fact Sheet: Executive Order on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience Presidential Executive Order 13,636 • New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies • The development of a Cybersecurity Framework • Establishes a voluntary program to promote the adoption of the Framework • Calls for a review of existing cybersecurity regulation • Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles Presidential Policy Directive 21 (PPD-21) • Directs the government to identify the functional relationships across the government • Directs the government to develop an efficient situational awareness capability • Directs the government to address other information sharing priorities • Calls for a comprehensive research and development plan for critical infrastructure http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
11 Highlights of “Down Payment” February 12, 2013 Executive Order • EO 13636 and PPD-21 Issued February 12, 2013 • Defines Roadmap 240 Days • Focus Areas for CIKR: October 10 Draft of • Information Sharing US Cybersecurity • US Cybersecurity Framework Framework • Standards • Identifying Critical Infrastructure 1 Year • Supply Chain February 12, • Sector-Specific Agencies and Sector Coordinating Councils 2014 Final US • FBI and NCIJTF Cybersecurity Framework 3 Year “Safe and Resilient Internet” Agencies report on critical infrastructure
12 Highlights of “Down Payment” • “Don’t assume you’re not in scope” • "Critical infrastructure" covers a lot of economic activity • Covers a lot of technology • Privacy concerns need to be addressed for “information sharing” • Department of Commerce, National Institutes of Standards and Technology (NIST), and Cybersecurity Framework • Reduce cyber risks to critical infrastructure within one year, • Incorporate “voluntary consensus standards and industry best practices to the fullest extent possible.” • Federal Supply Chain • Partnerships and mandates • Open standards • “Technology neutral” • Risk-based assessments
13
14 Keys to Cyber Security: Information Sharing 1. Balance with Privacy One Size Does Not Fit All… 2. One step at a time Cybersecurity Framework 1. Common definitions 2. Don’t assume you’re not in scope (Think Ecosystem) 3. Sector specific, Risk-based Framework using Evidence with basic guidelines 5. Crawl, Walk, Run Supply Chain 1. Align with Cyber Framework 2. Provide Assurance Security is Everyone’s Responsibility.
15 Don’t Assume You’re Not in Scope • Everyone with Information Technology is in scope (CIKR) • Security Basics • Apply Evidence-based Security Model • Statistics by Sector Exist • Should Threat Model Think Ecosystem.
16 Threat Model Your Role in the Cyber Space Ecosystem
17 Get the Point?
18 2012 Top 20 ISO 27001 Mitigating Controls What standard are Number of Times Control Mapped Ranking 1 Control A.10.9.1 to a Real-World Security Breach 447 What Framework? you following? 2 3 A.10.9.2 A.10.9.3 447 447 Point Security Standards / Controls 4 A.8.2.2 184 5 A.7.2.1 94 • PCI DSS 6 A.7.2.2 94 • Protects credit cards 7 A.8.1.1 90 • 12 Requirements (Domains) 8 A.8.1.2 90 • ~290 controls 9 A.8.1.3 90 • HIPAA / HITECH 10 A.8.2.1 90 • Protects health information 11 A.8.3.2 90 • NERC CIP 12 A.8.3.3 90 • CSA Cloud Controls Matrix / Open 13 A.9.2.5 87 14 A.11.7.1 87 Certification Framework 15 A.11.7.2 87 • SANS 20 Critical Security Controls / 16 A.9.1.1 50 CAG 17 A.9.1.2 50 • “International” security standards 18 A.9.2.1 50 • 20 controls (Domains) 19 A.10.8.4 16 • Mapped to ~150 20 A.10.8.3 15 NIST 800-53 controls *Based on datalossdb.org and Privacy Rights Clearinghouse Holistic Security Standard Frameworks • ISO/IEC 27001:2005 • International security standards • 11 Domains Consensus Audit Guidelines (CAG) • 133 controls Hardware asset management • FISMA • Software white listing and asset • Includes NIST 800-53 management • Vulnerability management • US government standard • Configuration settings • 22 Control Families (Domains) • Anti-virus • ~ 850 controls *Modified SANS 20 Critical Security Controls 2012 • COBIT 5 continuous monitoring policy issued by DHS
19 Simplify to Basic Security Guidelines Based on Evidence and Risk We have developed the myth that technology can be an effective fortress You cannot protect all your data You cannot stop every attack Therefore, • Don’t protect everything • Protect most important data and ensure services • Increase focus on closing the detection and response gap • Establish access norms and monitor for anomalies • Reduce your attack surface • Don’t store/transmit what you don’t need • Collapse to cores • Segregrate and protect your most critical data • Protect cores really, really well • Treat all endpoints as hostile • Make small, targeted investments • Pass the Red Face Test – Reduce Investments through integration • Antivirus - Forefront • Full Disk Encryption – Bitlocker Sector-based • Patch and harden configurations • Change default credentials and restrict/monitor privileged accounts • Secure development through application testing and code reviews • Increase awareness and change culture • Social engineering and phishing • Destroy and don’t save what you don’t need • Collect your own metrics and apply security as necessary with available industry evidence
20 Barriers to Implement Basics • 2012 FISMA Report The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel • Define – Accountability (Vendors and Customers) • Customers are dependent on vendors • Vendors rely on customers
Traditional Security is Insufficient Advanced Empowered Elastic Persistent Threats Employees Perimeter Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware! Copyright 2012 Trend Micro Inc.
22 Risk-Based Approach Using Evidence The REAL Big Data for Infosec
23 First, Define Risk • Partnership for Critical Infrastructure Security (PCIS) • Defined: Risk = Consequence (Impact ONLY!!!) NO!!! • General Risk Equation Risk = Probability x Impact • Factor Analysis of Information Risk (FAIR) Risk = The probable frequency and probable magnitude of future loss • Many other definitions, let’s pick… • Limitations of risk analysis • Risk analysis is never perfect • All risk analysis models are approximations of reality • Reality is far too complex to ever model exactly • Any analysis model will be limited • Sometimes you have enough information to make an informed decision ~SIRA Prediction is very difficult, • Define: Risk Appetite especially about the future. ~Niels Bohr
24 Second, Apply Evidence-Based Security *Abridged Version of Moneysec • Use industry data (Evidence) • “You’re not a beautiful snowflake.” • Use with [Moneysec] metrics ~JPfost • Don’t make emotional decisions • Recognize your bias • Collect the “right” data • Look for correlations • Set reasonable criteria for success • Don’t overspend • You can measure anything! Even intangibles. ~Douglas Hubbard • You don’t always need to be exact • Reducing uncertainty adds value • Having just some data can go a long way to help a decision maker • Not all measures are equally important (80/20) • Track and trend performance over time • Benchmark performance vs. self (and peers) • All metrics are worthless – unless you do something with them
25 Mandiant M-Trends 2013 Threat Report
26 Mandiant M-Trends 2013 Threat Report
27 2012 Verizon Data Breach Investigations Report (DBIR) • 5th year of public releases – Starting in 2008 – 7 total reports (mid-year supplementals in 2008 and 2009) • Dataset now contains: – 8 years of data
28 2012 Verizon Data Breach Investigations Report (DBIR) 2012 Trustwave Global Security Report In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim’s environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise.
29 2012 Verizon Data Breach Investigations Report (DBIR)
30 Trend - 2011 Verizon Data Breach Investigations Report (DBIR)
31 Trend - 2011 Verizon Data Breach Investigations Report (DBIR) • Eastern Europe takes a commanding lead Who are the (external) bad guys?
32 2012 Federal Information Security Management Act report • Over $13 Billion Spent on Personnel • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel • An increase from 76% in 2011 • Cybersecurity Education Down • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011 • A Challenging Year The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel • Top Three Government Cybersecurity Spenders The organizations who spent the most in 2012 were: - Department of Defense: $12 billion - Department of Homeland Security: $615.5 million - Treasury Department: $404 million • Security Incidents on the Rise • 49,000 security incidents were reported in 2012, up from 43,889 in 2011 • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access • 2012 FISMA report reflects the major concerns we’ve recently heard in the media: • An increase in successful cyberattacks • A shortage of trained cybersecurity professionals; and • An IT infrastructure too weak to repel sophisticated attacks • This recent surge in cyberattacks on government systems is the new normal • However, the amount of successful attacks can and will decrease when agencies invest in security automation IT, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce
33 Connecting the Dots Information Leakage • Ex-employees, partners, and customers • Over 1/3 due to negligence • Increasing loss from external collaboration Ponemon Study finds: 55% of SMBs were breached in 2012 Percentage cause of data breach Estimated sources of data breach 2010 CSO Cost of Data Breach report Global State of Information Security Survey Ponemon Institute 2010
Connecting the Dots VERIS: (Vocabulary for Event Recording and Incident Sharing) What How Who Why When 2012 Trustwave GSR 2013 Mandiant TR 2012 Verizon DBIR
35 Third, Add Threat Modeling Supports Risk Model Cyber Kill Chain Model • Intrusions must be studied from the adversary’s perspective – analyzing the “kill chain” to inform actionable security intelligence • An adversary must progress successfully through each stage of the chain before it can achieve its desired objective Command Actions on Recon Weapon Delivery Exploit Install and Objectives Control • Just one mitigation disrupts the chain and the adversary
36 Threat Modeling - Countermeasures • Moving detection and mitigation to earlier phases of the kill chain is essential in defending today’s networks Command Actions on Recon Weapon Delivery Exploit Install and Objectives Control
37 Bring it All Together - Trends in the Evidence Motivating Fix what’s broken Event • Hacks and compromise • Fix what’s already been hacked at your company • Utilize Cyber Kill Chain Model to focus defense in depth strategy • Understand security trends for your industry • Small and Medium Business beware • Banks – DDOS, fraud, botnets, and web authentication attacks • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing • News – NYT/WSJ - phishing, Oracle Java 0days • Retail – Open Wifi, POS • LEA – 0day, social engineering and phishing • Credit card processors – Phishing and egress traffic • Websites – SNE (SQL Injection) and exclusion from core security • Know your threat landscape to prioritize your treatment strategy based on risk • In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature).~Neira Jones Somebody needs to thoroughly analyze the important industry data by sector. KNOW THE BIAS!!! Adjust from there.
38 Crawl, Walk, and then Run… • Agree on definitions at each step of this process • Agree on roles in cyber space ecosystem • Need to develop better understanding • Cyber effect on way of life, economic vitality, and national security • Top threats by sector • Attackers/Adversaries by sector • Evidence of risks by sector • Agree on countermeasures / controls
39 Inspiration • I’m my father’s son… • It’s our time. • <Video> https://www.youtube.com/watch?feature=player_embedde d&v=Z2PloBdHeow
40 Conclusion • The time is now for cyber security • Agree on definitions as we proceed to each step • Security is Everyone’s Responsibility • Think Risk • Use the evidence we have • There is a lot industry data that needs to be analyzed • Proceed with care, methodically, and by sector • Agree on the basics • Get it done. We can do it. Cyber Space Ecosystem
41 Questions & Answers Phil Agcaoili CISO, Cox Communications, Inc. Co-Chair, Communication Sector Coordinating Council (CSCC), Cybersecurity Committee – Technology Sub-Committee Co-Founder & Board Member, Southern CISO Security Council Distinguished Fellow and Fellows Chairman, Ponemon Institute Founding Member, Cloud Security Alliance (CSA) Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and Open Certification Framework (OCF) @hacksec https://www.linkedin.com/in/philA

More Related Content

DOCX
Cyber defence sebagai garda terdepan ketahanan nasional
byEdi Suryadi
 
PDF
Hakin9 interview w Prof Sood
byZsolt Nemeth
 
PPTX
Models of Escalation and De-escalation in Cyber Conflict
byZsolt Nemeth
 
PPTX
Ncma saguaro cyber security 2016 law &amp; regulations asis phoenix dely fina...
byJohn Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
PPTX
Security assessment for financial institutions
byZsolt Nemeth
 
PDF
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
byDinesh O Bareja
 
PDF
Industrial Control Security USA Sacramento California Oct 6/7
byJames Nesbitt
 
PDF
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
byCharles "Chuck" Speicher Jr.
 
Cyber defence sebagai garda terdepan ketahanan nasional
byEdi Suryadi
 
Hakin9 interview w Prof Sood
byZsolt Nemeth
 
Models of Escalation and De-escalation in Cyber Conflict
byZsolt Nemeth
 
Ncma saguaro cyber security 2016 law &amp; regulations asis phoenix dely fina...
byJohn Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
Security assessment for financial institutions
byZsolt Nemeth
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
byDinesh O Bareja
 
Industrial Control Security USA Sacramento California Oct 6/7
byJames Nesbitt
 
2-25-2014 Part 1 - NRECA Kickoff Meeting v2
byCharles "Chuck" Speicher Jr.
 

What's hot

PDF
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
PPTX
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
byPositive Hack Days
 
PPTX
Need for Improved Critical Industrial Infrastructure Protection
byWilliam McBorrough
 
PDF
Combating cyber crimes chinatu
byChinatu Uzuegbu
 
PDF
David Snead - Nailing Down Security Regulations
bySource Conference
 
PPT
The Realities and Challenges of Cyber Crime and Cyber Security in Africa
byZsolt Nemeth
 
PDF
Lessons learned from the SingHealth Data Breach COI Report
byBenjamin Ang
 
PDF
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
byCybersecurity Education and Research Centre
 
PDF
2015 Global Threat Intelligence Report Executive Summary | NTT i3
byNTT Innovation Institute Inc.
 
PDF
National Cyber Security Policy 2013 (NCSP)
byGopal Choudhary
 
PDF
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
byijtsrd
 
PPTX
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
byCapitolTechU
 
PDF
Cybersecurity for Critical National Information Infrastructure
byDr David Probert
 
PDF
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
byDinesh O Bareja
 
PPTX
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
byWCIT 2014
 
PDF
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
byMinh Le
 
PDF
SMi Group's Oil and Gas Cyber Security North America
byDale Butler
 
PDF
Critical Infrastructure and Cyber Security: trends and challenges
byCommunity Protection Forum
 
DSS ITSEC CONFERENCE - Lumension Security - Intelligent application whiteli...
byAndris Soroka
 
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
byPositive Hack Days
 
Need for Improved Critical Industrial Infrastructure Protection
byWilliam McBorrough
 
Combating cyber crimes chinatu
byChinatu Uzuegbu
 
David Snead - Nailing Down Security Regulations
bySource Conference
 
The Realities and Challenges of Cyber Crime and Cyber Security in Africa
byZsolt Nemeth
 
Lessons learned from the SingHealth Data Breach COI Report
byBenjamin Ang
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
byCybersecurity Education and Research Centre
 
2015 Global Threat Intelligence Report Executive Summary | NTT i3
byNTT Innovation Institute Inc.
 
National Cyber Security Policy 2013 (NCSP)
byGopal Choudhary
 
An Analytical Study on Attacks and Threats in Cyber Security and its Evolving...
byijtsrd
 
Capitol Tech Talk Feb 17 2022 Cybersecurity Challenges in Financial Sector
byCapitolTechU
 
Cybersecurity for Critical National Information Infrastructure
byDr David Probert
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
byDinesh O Bareja
 
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
byWCIT 2014
 
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
byMinh Le
 
SMi Group's Oil and Gas Cyber Security North America
byDale Butler
 
Critical Infrastructure and Cyber Security: trends and challenges
byCommunity Protection Forum
 

Similar to CSO Magazine Confab 2013 Atlanta - Cyber Security

PDF
Advanced Solutions for Critical Infrastructure Protection
byEntrust Datacard
 
PPT
Cybersecurity R&D briefing
byNaba Barkakati
 
PPTX
Event: George Washington University -- National Security Threat Convergence: ...
byChuck Brooks
 
PDF
Dhs cybersecurity-roadmap
byAjay Ohri
 
PPT
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
PPT
A Network of Networks
byGovernment Technology Exhibition and Conference
 
PDF
Cyber security of critical infrastructure
byNIRAJSINGH339856
 
PPTX
ppt_cyber.pptx
byNIRAJSINGH339856
 
PDF
Comprehensive U.S. Cyber Framework Final Report
byLandon Harrell
 
PDF
Internet safety and security strategies for building an internet safety wall
byCommonwealth Telecommunications Organisation
 
ODP
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
byTEO LT, AB
 
PPTX
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
PDF
Cybersecurity Issues and Challenges
byTam Nguyen
 
PDF
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
byAsad Zaman
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
PPTX
Cyber Security: Threats and Needed Actions
byJohn Gilligan
 
PDF
Cyber Security Lecture at Rah Rah 7
byFilip Maertens
 
PDF
The Physical Security_&_Risk_Management_book
byJAMES E. McDONALD, PSNA
 
PDF
Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed
byCandice Tang
 
PDF
Asymmetric threat 5_paper
byMarioEliseo3
 
Advanced Solutions for Critical Infrastructure Protection
byEntrust Datacard
 
Cybersecurity R&D briefing
byNaba Barkakati
 
Event: George Washington University -- National Security Threat Convergence: ...
byChuck Brooks
 
Dhs cybersecurity-roadmap
byAjay Ohri
 
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
A Network of Networks
byGovernment Technology Exhibition and Conference
 
Cyber security of critical infrastructure
byNIRAJSINGH339856
 
ppt_cyber.pptx
byNIRAJSINGH339856
 
Comprehensive U.S. Cyber Framework Final Report
byLandon Harrell
 
Internet safety and security strategies for building an internet safety wall
byCommonwealth Telecommunications Organisation
 
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
byTEO LT, AB
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
byTripwire
 
Cybersecurity Issues and Challenges
byTam Nguyen
 
ZamanAsad_INFA 670_9041_RPAPER_Cybersecurity-3
byAsad Zaman
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
Cyber Security: Threats and Needed Actions
byJohn Gilligan
 
Cyber Security Lecture at Rah Rah 7
byFilip Maertens
 
The Physical Security_&_Risk_Management_book
byJAMES E. McDONALD, PSNA
 
Cto ciip-gaborone workshop-presentation-final-18-mar-2015.compressed
byCandice Tang
 
Asymmetric threat 5_paper
byMarioEliseo3
 

More from Phil Agcaoili

PDF
Cybersecurity Market 2020 - Bring the Noise
byPhil Agcaoili
 
PPTX
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
byPhil Agcaoili
 
PPTX
2016 ISSA Conference Threat Intelligence Keynote philA
byPhil Agcaoili
 
PPTX
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
PPTX
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
byPhil Agcaoili
 
PPTX
2015 KSU So You Want To Be in Cyber Security
byPhil Agcaoili
 
PPTX
OWASP Knoxville Inaugural Chapter Meeting
byPhil Agcaoili
 
PPTX
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
PDF
Intel Presentation from NIST Cybersecurity Framework Workshop 6
byPhil Agcaoili
 
PPTX
Data Breaches. Are you next? What does the data say?
byPhil Agcaoili
 
PDF
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
byPhil Agcaoili
 
PPTX
2014 - KSU - So You Want to Be in Cyber Security?
byPhil Agcaoili
 
PPTX
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
byPhil Agcaoili
 
PPT
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
PPT
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
PPTX
Southern Risk Council - Cybersecurity Update 10-9-13
byPhil Agcaoili
 
PPTX
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
byPhil Agcaoili
 
PPTX
Moneysec - Moneyball for Security
byPhil Agcaoili
 
PPT
IAPP Atlanta Chapter Meeting 2013 February
byPhil Agcaoili
 
PPTX
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
byPhil Agcaoili
 
Cybersecurity Market 2020 - Bring the Noise
byPhil Agcaoili
 
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
byPhil Agcaoili
 
2016 ISSA Conference Threat Intelligence Keynote philA
byPhil Agcaoili
 
CSA Atlanta Q1'2016 Chapter Meeting
byPhil Agcaoili
 
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
byPhil Agcaoili
 
2015 KSU So You Want To Be in Cyber Security
byPhil Agcaoili
 
OWASP Knoxville Inaugural Chapter Meeting
byPhil Agcaoili
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
byPhil Agcaoili
 
Data Breaches. Are you next? What does the data say?
byPhil Agcaoili
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
byPhil Agcaoili
 
2014 - KSU - So You Want to Be in Cyber Security?
byPhil Agcaoili
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
byPhil Agcaoili
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
What CIOs and CFOs Need to Know About Cyber Security
byPhil Agcaoili
 
Southern Risk Council - Cybersecurity Update 10-9-13
byPhil Agcaoili
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
byPhil Agcaoili
 
Moneysec - Moneyball for Security
byPhil Agcaoili
 
IAPP Atlanta Chapter Meeting 2013 February
byPhil Agcaoili
 
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
byPhil Agcaoili
 

CSO Magazine Confab 2013 Atlanta - Cyber Security

  • 1.
    The Executive Order– Defining the Internet Security Ecosystem Phil Agcaoili April 2, 2013
  • 2.
    2 Cyber what? DefiningCyber • Cyber space is the connected Internet ecosystem • Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyber space • DHS defined 18 Critical Infrastructure Sectors (CIKR) Food and Agriculture Banking and Finance Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Government Facilities Healthcare and Public Health Information Technology National Monuments Nuclear Reactors, Materials and Icons and Waste Postal and Transportation Water Shipping Systems • Cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy • Cyber security is protecting our cyber space (critical infrastructure) from attack, damage, misuse, and economic espionage
  • 3.
    3 Our physical infrastructurehas become intertwined and reliant on our cyber infrastructure Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure
  • 4.
  • 5.
    5 Why the fear?Cyber Trends - Advanced • StuxNet • Duqu • Gauss • Mahdi • Flame • Wiper • Shamoon - Saudi Aramco • SCADA Network Attacks Advanced attacks on critical infrastructure
  • 6.
    6 Cyber Trends –Not So Advanced • Insulin pumps • Pace makers • Smart TVs • Voting and elections • US drone fleet • SYMC – RSA – VRSN – Bit9 • SNE – AMZN – AAPL – YHOO – LNKD • DoE
  • 7.
    7 General Observations onCyber Trends • Phishing and Email • Exploitable Links and Browsers • Java, Flash, PDF, MS Office • A/V Coverage • Android, iOS, Windows, and MacOS • Air Gaps and Removable Media • Endpoint Security • Security Awareness • Security Basics
  • 8.
  • 9.
    9 Expectations on CriticalInfrastructure • S. 21, Cybersecurity and American Cyber Competitiveness Act of 2013 Senators Rockefeller (D-W.Va.), Carper (D-DE), Feinstein (D-CA), Levin (D-MI), Mikulski (D-MD), Whitehouse (D-RI), and Coons (D-DE) • H.R. 624, Cyber Intelligence Sharing and Protection Act (CISPA), 2013 Representative Rogers (R-MI) and 111 co-sponsors It’s unlikely that these will pass in 2013…
  • 10.
    10 Fact Sheet: ExecutiveOrder on Cybersecurity / Presidential Policy Directive on Critical Infrastructure Security and Resilience Presidential Executive Order 13,636 • New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies • The development of a Cybersecurity Framework • Establishes a voluntary program to promote the adoption of the Framework • Calls for a review of existing cybersecurity regulation • Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles Presidential Policy Directive 21 (PPD-21) • Directs the government to identify the functional relationships across the government • Directs the government to develop an efficient situational awareness capability • Directs the government to address other information sharing priorities • Calls for a comprehensive research and development plan for critical infrastructure http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
  • 11.
    11 Highlights of “DownPayment” February 12, 2013 Executive Order • EO 13636 and PPD-21 Issued February 12, 2013 • Defines Roadmap 240 Days • Focus Areas for CIKR: October 10 Draft of • Information Sharing US Cybersecurity • US Cybersecurity Framework Framework • Standards • Identifying Critical Infrastructure 1 Year • Supply Chain February 12, • Sector-Specific Agencies and Sector Coordinating Councils 2014 Final US • FBI and NCIJTF Cybersecurity Framework 3 Year “Safe and Resilient Internet” Agencies report on critical infrastructure
  • 12.
    12 Highlights of “DownPayment” • “Don’t assume you’re not in scope” • "Critical infrastructure" covers a lot of economic activity • Covers a lot of technology • Privacy concerns need to be addressed for “information sharing” • Department of Commerce, National Institutes of Standards and Technology (NIST), and Cybersecurity Framework • Reduce cyber risks to critical infrastructure within one year, • Incorporate “voluntary consensus standards and industry best practices to the fullest extent possible.” • Federal Supply Chain • Partnerships and mandates • Open standards • “Technology neutral” • Risk-based assessments
  • 13.
  • 14.
    14 Keys to Cyber Security: Information Sharing 1. Balance with Privacy One Size Does Not Fit All… 2. One step at a time Cybersecurity Framework 1. Common definitions 2. Don’t assume you’re not in scope (Think Ecosystem) 3. Sector specific, Risk-based Framework using Evidence with basic guidelines 5. Crawl, Walk, Run Supply Chain 1. Align with Cyber Framework 2. Provide Assurance Security is Everyone’s Responsibility.
  • 15.
    15 Don’t Assume You’reNot in Scope • Everyone with Information Technology is in scope (CIKR) • Security Basics • Apply Evidence-based Security Model • Statistics by Sector Exist • Should Threat Model Think Ecosystem.
  • 16.
    16 Threat Model Your Rolein the Cyber Space Ecosystem
  • 17.
  • 18.
    18 2012 Top 20 ISO 27001 Mitigating Controls What standard are Number of Times Control Mapped Ranking 1 Control A.10.9.1 to a Real-World Security Breach 447 What Framework? you following? 2 3 A.10.9.2 A.10.9.3 447 447 Point Security Standards / Controls 4 A.8.2.2 184 5 A.7.2.1 94 • PCI DSS 6 A.7.2.2 94 • Protects credit cards 7 A.8.1.1 90 • 12 Requirements (Domains) 8 A.8.1.2 90 • ~290 controls 9 A.8.1.3 90 • HIPAA / HITECH 10 A.8.2.1 90 • Protects health information 11 A.8.3.2 90 • NERC CIP 12 A.8.3.3 90 • CSA Cloud Controls Matrix / Open 13 A.9.2.5 87 14 A.11.7.1 87 Certification Framework 15 A.11.7.2 87 • SANS 20 Critical Security Controls / 16 A.9.1.1 50 CAG 17 A.9.1.2 50 • “International” security standards 18 A.9.2.1 50 • 20 controls (Domains) 19 A.10.8.4 16 • Mapped to ~150 20 A.10.8.3 15 NIST 800-53 controls *Based on datalossdb.org and Privacy Rights Clearinghouse Holistic Security Standard Frameworks • ISO/IEC 27001:2005 • International security standards • 11 Domains Consensus Audit Guidelines (CAG) • 133 controls Hardware asset management • FISMA • Software white listing and asset • Includes NIST 800-53 management • Vulnerability management • US government standard • Configuration settings • 22 Control Families (Domains) • Anti-virus • ~ 850 controls *Modified SANS 20 Critical Security Controls 2012 • COBIT 5 continuous monitoring policy issued by DHS
  • 19.
    19 Simplify to Basic Security Guidelines Based on Evidence and Risk We have developed the myth that technology can be an effective fortress You cannot protect all your data You cannot stop every attack Therefore, • Don’t protect everything • Protect most important data and ensure services • Increase focus on closing the detection and response gap • Establish access norms and monitor for anomalies • Reduce your attack surface • Don’t store/transmit what you don’t need • Collapse to cores • Segregrate and protect your most critical data • Protect cores really, really well • Treat all endpoints as hostile • Make small, targeted investments • Pass the Red Face Test – Reduce Investments through integration • Antivirus - Forefront • Full Disk Encryption – Bitlocker Sector-based • Patch and harden configurations • Change default credentials and restrict/monitor privileged accounts • Secure development through application testing and code reviews • Increase awareness and change culture • Social engineering and phishing • Destroy and don’t save what you don’t need • Collect your own metrics and apply security as necessary with available industry evidence
  • 20.
    20 Barriers to ImplementBasics • 2012 FISMA Report The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel • Define – Accountability (Vendors and Customers) • Customers are dependent on vendors • Vendors rely on customers
  • 21.
    Traditional Security is Insufficient Advanced Empowered Elastic Persistent Threats Employees Perimeter Trend Micro evaluations find over 90% of enterprise networks contain active malicious malware! Copyright 2012 Trend Micro Inc.
  • 22.
    22 Risk-Based Approach UsingEvidence The REAL Big Data for Infosec
  • 23.
    23 First, Define Risk •Partnership for Critical Infrastructure Security (PCIS) • Defined: Risk = Consequence (Impact ONLY!!!) NO!!! • General Risk Equation Risk = Probability x Impact • Factor Analysis of Information Risk (FAIR) Risk = The probable frequency and probable magnitude of future loss • Many other definitions, let’s pick… • Limitations of risk analysis • Risk analysis is never perfect • All risk analysis models are approximations of reality • Reality is far too complex to ever model exactly • Any analysis model will be limited • Sometimes you have enough information to make an informed decision ~SIRA Prediction is very difficult, • Define: Risk Appetite especially about the future. ~Niels Bohr
  • 24.
    24 Second, Apply Evidence-BasedSecurity *Abridged Version of Moneysec • Use industry data (Evidence) • “You’re not a beautiful snowflake.” • Use with [Moneysec] metrics ~JPfost • Don’t make emotional decisions • Recognize your bias • Collect the “right” data • Look for correlations • Set reasonable criteria for success • Don’t overspend • You can measure anything! Even intangibles. ~Douglas Hubbard • You don’t always need to be exact • Reducing uncertainty adds value • Having just some data can go a long way to help a decision maker • Not all measures are equally important (80/20) • Track and trend performance over time • Benchmark performance vs. self (and peers) • All metrics are worthless – unless you do something with them
  • 25.
  • 26.
  • 27.
    27 2012 Verizon Data Breach Investigations Report (DBIR) • 5th year of public releases – Starting in 2008 – 7 total reports (mid-year supplementals in 2008 and 2009) • Dataset now contains: – 8 years of data
  • 28.
    28 2012 Verizon DataBreach Investigations Report (DBIR) 2012 Trustwave Global Security Report In those cases in which an external entity was necessary for detection, analysis found that attackers had an average of 173.5 days within the victim’s environment before detection occurred. Conversely, organizations that relied on self-detection were able to identify attackers within their systems an average of 43 days after initial compromise.
  • 29.
    29 2012 Verizon DataBreach Investigations Report (DBIR)
  • 30.
    30 Trend - 2011Verizon Data Breach Investigations Report (DBIR)
  • 31.
    31 Trend - 2011Verizon Data Breach Investigations Report (DBIR) • Eastern Europe takes a commanding lead Who are the (external) bad guys?
  • 32.
    32 2012 Federal Information Security Management Act report • Over $13 Billion Spent on Personnel • Of the $14.6B spent on cybersecurity in 2012, a whopping 90% went to personnel • An increase from 76% in 2011 • Cybersecurity Education Down • Training only accounted for 0.9% of the total spent on cybersecurity, almost 2% lower than 2011 • A Challenging Year The top reported cybersecurity challenges were: - Funding the administration’s priority initiatives - Cultural challenges - Upgrading legacy technology - The current budget structure - Acquiring skilled personnel • Top Three Government Cybersecurity Spenders The organizations who spent the most in 2012 were: - Department of Defense: $12 billion - Department of Homeland Security: $615.5 million - Treasury Department: $404 million • Security Incidents on the Rise • 49,000 security incidents were reported in 2012, up from 43,889 in 2011 • Worth noting that the majority were the result of lost or stolen equipment and data, not unauthorized access • 2012 FISMA report reflects the major concerns we’ve recently heard in the media: • An increase in successful cyberattacks • A shortage of trained cybersecurity professionals; and • An IT infrastructure too weak to repel sophisticated attacks • This recent surge in cyberattacks on government systems is the new normal • However, the amount of successful attacks can and will decrease when agencies invest in security automation IT, which will decrease personnel costs, freeing the resources needed to properly invest in a fully trained cybersecurity workforce
  • 33.
    33 Connecting theDots Information Leakage • Ex-employees, partners, and customers • Over 1/3 due to negligence • Increasing loss from external collaboration Ponemon Study finds: 55% of SMBs were breached in 2012 Percentage cause of data breach Estimated sources of data breach 2010 CSO Cost of Data Breach report Global State of Information Security Survey Ponemon Institute 2010
  • 34.
    Connecting the Dots VERIS: (Vocabulary for Event Recording and Incident Sharing) What How Who Why When 2012 Trustwave GSR 2013 Mandiant TR 2012 Verizon DBIR
  • 35.
    35 Third, Add ThreatModeling Supports Risk Model Cyber Kill Chain Model • Intrusions must be studied from the adversary’s perspective – analyzing the “kill chain” to inform actionable security intelligence • An adversary must progress successfully through each stage of the chain before it can achieve its desired objective Command Actions on Recon Weapon Delivery Exploit Install and Objectives Control • Just one mitigation disrupts the chain and the adversary
  • 36.
    36 Threat Modeling -Countermeasures • Moving detection and mitigation to earlier phases of the kill chain is essential in defending today’s networks Command Actions on Recon Weapon Delivery Exploit Install and Objectives Control
  • 37.
    37 Bring it AllTogether - Trends in the Evidence Motivating Fix what’s broken Event • Hacks and compromise • Fix what’s already been hacked at your company • Utilize Cyber Kill Chain Model to focus defense in depth strategy • Understand security trends for your industry • Small and Medium Business beware • Banks – DDOS, fraud, botnets, and web authentication attacks • Hospitality – Credit cards, point of sale systems, Wifi, and admin accounts • DIB – RSA hack - Adobe/Microsoft 0days, remote access, and phishing • News – NYT/WSJ - phishing, Oracle Java 0days • Retail – Open Wifi, POS • LEA – 0day, social engineering and phishing • Credit card processors – Phishing and egress traffic • Websites – SNE (SQL Injection) and exclusion from core security • Know your threat landscape to prioritize your treatment strategy based on risk • In advertising, the best insights are often minor alterations in trends which occur over long periods of time (and take time to see due to their nuanced nature).~Neira Jones Somebody needs to thoroughly analyze the important industry data by sector. KNOW THE BIAS!!! Adjust from there.
  • 38.
    38 Crawl, Walk, andthen Run… • Agree on definitions at each step of this process • Agree on roles in cyber space ecosystem • Need to develop better understanding • Cyber effect on way of life, economic vitality, and national security • Top threats by sector • Attackers/Adversaries by sector • Evidence of risks by sector • Agree on countermeasures / controls
  • 39.
    39 Inspiration • I’m myfather’s son… • It’s our time. • <Video> https://www.youtube.com/watch?feature=player_embedde d&v=Z2PloBdHeow
  • 40.
    40 Conclusion • The timeis now for cyber security • Agree on definitions as we proceed to each step • Security is Everyone’s Responsibility • Think Risk • Use the evidence we have • There is a lot industry data that needs to be analyzed • Proceed with care, methodically, and by sector • Agree on the basics • Get it done. We can do it. Cyber Space Ecosystem
  • 41.
    41 Questions & Answers Phil Agcaoili CISO, Cox Communications, Inc. Co-Chair, Communication Sector Coordinating Council (CSCC), Cybersecurity Committee – Technology Sub-Committee Co-Founder & Board Member, Southern CISO Security Council Distinguished Fellow and Fellows Chairman, Ponemon Institute Founding Member, Cloud Security Alliance (CSA) Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and Open Certification Framework (OCF) @hacksec https://www.linkedin.com/in/philA

Editor's Notes

  • #2 Why it is the shiny object?Cyber is all about definitionsIt is much talked about, but little defined and very misunderstood
  • #4 DHS has provided:CIKR facility risk assessmentsData center risk assessmentsThese guidelines exist to connect physical and cyber securityEven PCI DSS and ISO/IEC 27001:2005 have physical security control requirements
  • #5 No companies will be harmed to deliver this presentation
  • #6 To understand the fear, let’s breakdown of some of the advanced attacks affecting a region of the worldIn rough chronological order:Stuxnet- Discovered in June 2010, Stuxnet is believed to be the first malware targeted specifically at critical infrastructure systems. - NYT reported this was part of a U.S.-Israeli operation &quot;Operation Olympic Games&quot; - Began during President George W. Bush’s time in office- An attempt to sabotage Iran&apos;s nuclear program- Designed to shut down centrifuges at Iran&apos;s Natanz uranium enrichment plantA sophisticated worm spread via USB drives And with 4 previously unknown, zero-day vulnerabilities in Windows- Used two stolen digital certificatesAimed directly at Siemens supervisory control and data acquisition (SCADA) systems Used to control industrial processes- Malware infected programmable logic controllers Duqu- The Duqu worm emerged in September 2011Researchers say it shared a lot of code with Stuxnet It hit computers in Iran but did not appear to be directed at industrial or critical infrastructures specificallyExploited zero-day Windows kernel vulnerabilitiesUsed stolen digital certificatesInstalled a backdoorCaptured keystrokes and information that could be used to attack industrial control systemsDesigned for a different purpose than Stuxnet--Stealing data for surveillance and intelligence gatheringResearchers believe Duqu was a cyberespionage operation to gauge the status of Iran&apos;s nuclear programGauss- Launched around September 2011 and discovered in June 2012Malware was found on computers mostly in Lebanon, Israel, and Palestine, followed by the U.S. and the United Arab EmiratesCapable of stealing browser passwords, online banking accounts, cookies, and system configurationsResearchers believe that Gauss comes from the same nation-state that produced Stuxnet, Duqu, and Flame Mahdi- Discovered in February 2012 and publicly disclosed in July 2012 Used for espionage since December 2011It’s a data stealing trojan Records keystrokes, screenshots, and audio and steals text and image filesInfected computers primarily in Iran, Israel, Afghanistan, the United Arab Emirates, and Saudi Arabia, Aimed at systems used by critical infrastructure companies, government embassies, and financial services firmsUsed social engineering to get people to click on attachments that have malicious Word or PowerPoint attachmentsUnknown who&apos;s responsible for the malware Flame- Discovered in May 2012 - Has been in the wild since December 2007 First hit Iranian Oil Ministry computers in April 2012Most of the infections were in Iran, but other countries hit were Israel, Sudan, Syria, Lebanon, Saudi Arabia, and EgyptSpread via USB stick, local network, or shared printer spool vulnerabilityUsed a fraudulent digital certificate Left a backdoor on computersSniffed network traffic and recorded audio, screenshots, Skype conversations, and keystrokesDownloaded information from other devices via BluetoothStole PDF, text, and AutoCAD filesDesigned for general espionage and intelligence gatheringNot targeted at any particular industryShares characteristics with Stuxnet and DuquAlso believed to have been developed as part of the Olympic Games project along with StuxnetWiper- Reported in April 2012 Shut down computer systems at companies in Iran, including the Oil MinistryWiped data from hard drivesDeleted all traces of itselfVery similar IOCs as Stuxnet and DuquThe discovery of Wiper led to the discovery of Flame, which led researchers to GaussPoint of origin is uncertainShamoon- Discovered August 2012Virus attacked Windows computers Designed for espionageInitially confused with Wiper but is believed to be a Wiper copycat targeting oil companiesCode of Shamoon points to the work of amateurs rather than a nation-state operationProgrammed to overwrite files with an image of a burning U.S. flag,Stole dataShamoon hit Saudi Aramco and shut down 30,000 workstationsLet’s call these advanced attacksLet’s call these nation-state sponsored operations or attacks
  • #7 So here’s why there is confusion…It’s the simple attacks / compromise that’s confusing.Adding on to the 2011 Insulin pump issue, which we agree was very simpleIn 2011, a computer virus infected the cockpits of America’s Predator and Reaper drones- A keylogger infected several computers the pilots use to operate the Predator and Raptor drones in the fleet in missions- Logged pilots’ every keystroke as they remotely flew missions over Afghanistan and other warzonesA fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; These drones have killed more than 2,000 suspected militants and civilians according to the Washington PostThere are more than 150 additional Predator and Reaper drones, under U.S. Air Force control, that watch over the fighting in Afghanistan and IraqAmerican military drones struck 92 times in Libya between mid-April and late AugustBut despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered days of the drone footage on the laptops of Iraqi insurgents.A $26 piece of software allowed the militants to capture the videoVirus kept reinfecting systemsEstimated that 1/3 of the drone fleet had malwareOMG - “After repeated attempts to remove the malware, the technicians used a tool to completely erase and rebuild the systems from scratch. We keep wiping it off, and it keeps coming back,&quot; a source told Wired.Also in 2012, demonstration showed that pacemakers could be infiltrated to deliver deadly shocksA series of 830-volt shocks could be sent to a remote pacemakerResearchers could activate all pacemakers and implantable defibrillators within a 30-foot radius to give up their serial numbersAllows a would-be assassin to breach device firmware and upload nefarious malware that could spread to other pacemakers like a virus - NetworkedAlso in 2012, new Smart TV technology was exploited upon launchSmart TVs run AndroidGained access to the device’s built-in camera and microphones remotelyAllows an intruder to watch everything you doIn 2013, authorities have confirmed tor the first time everUsed well known security issues (that have existed for a decade) on online voting systems Hackers attempted and almost succeeded at rigging a Miami primary vote last AugustRequests for over 2,500 phantom absentee ballots flooded the Miami Dade voter registration siteDetected through audit process (People and Process)Symc, rsa, vrsn, and Bit9 were all simple, not advanced and caused collateral damageSne, amzn, appl, yhoo, and lnkd were all simple and exploited basic security controls known for a long time2012 Dept of Energy Hacked- Report published in 2012 by the U.S. China Economic and Security Review Commission- “In 2012, Chinese state-sponsored actors continued to exploit U.S. government, military, industrial, and nongovernmental computer systems,” It’s a continuing storyhttp://securityaffairs.co/wordpress/12188/cyber-crime/us-department-of-energy-hit-by-a-sophisticated-cyber-attack.html
  • #8 Bottom line is that cyber-adversaries are getting increasingly more sophisticated at their targets and attacks. We need to ensure that basic security is done to even begin to deal with advanced offensives.
  • #10 - Cybersecurity was a big issue in the 112th Congress- But there was little progressDemocrats and Republicans deadlocked over whether to give lead authority to the Department of Homeland Security (DHS), a civilian agency, or the National Security Agency (NSA), a military agency. Meanwhile evidence of threats to the nation&apos;s infrastructure increased.
  • #11 http://www.dhs.gov/news/2013/02/13/fact-sheet-executive-order-cybersecurity-presidential-policy-directive-critical
  • #12 The President could have issued this executive order at any time, but chose the State of the Union to emphasize the importance of the issue. Timeline
  • #13 &quot;Critical infrastructure&quot; covers a lot of economic activity One of the 18 critical infrastructure sectors is Information Technology- Threat detection and prevention is key for effective cybersecurity, Presently no clear rules exist about how to collect and share informationBusinesses are concerned about the disclosure of confidential informationGovernments have classified data, and data sharing has privacy implications for Internet usersThe executive order sets out a framework to collect and gather information about cybersecurity where currently none existsThe Commerce Department, a civilian agency, thru NIST leads the Cybersecurity Framework, not NSA- [EPIC] A clear victory for open government and academic freedomPartnerships and mandates – WH is trying to ensure private sector support for better cybersecurity standards without imposing actual requirements To describe cybersecurity policy as &quot;technology neutral&quot; is important to almost all of the players in the cybersecurity debate. The concern is that government will mandate a standard that becomes outdated. On Voluntary - The White House wants to leave no doubt that it is not forcing anyone to do anything. Since 9/11, the US has moved toward risk-based assessments to decide how to allocate security resourcesThis is the reason travelers go through body scanners at airports and not at bus stations. But identifying high-priority critical infrastructure is more difficult. Systems are interconnected. There are multiple operators, some outside the US.
  • #14 This down payment is to begin to mobile people, companies, and the gov’t to actTo secure cyber spaceTo develop how to secure cyber space
  • #15 Cyber security is all about coming to agreement on MANY definitionsWhat is cyber?What does safe mean?Water quality and safety in the US vsMexcioCorrelating infrastructure security of water treatment plantsOne size does not fit allRisk-based security using evidence moves information security and physical security (cyber security) from art to scienceWe need to start with basics (crawl, walk, run methodology)Security is Everyone’s Responsibility. Stop. Think. Connect. (DHS)Discuss Keys to cyberFire is a great example of thisGives everyone a roleFairly clear that it needs to be dealt withMinimum fire safety protocols in placeWho to callYour role and responsibilityRole of companiesAnother example is seat belt safety
  • #16 Everyone with Information Technology is in scope You are CIKRSKIP to NEXT SLIDE – COME BACKThink Security BasicsApply Evidence-based Security ModelStatistics by Sector ExistShould Threat ModelStart by asking does this have a computer inside? Mobile phones countTablets, etc…Does it have an IP?You are accountable in the cyber ecosystem – cyber space.Use Verizon VERIS model to think about What? Who? Why? How? When? Where? You can be attacked.Threat ModelingLook up your industry to assess how your industry is being attacked…We’ll show more in the Evidence section how to look at this
  • #17 All I did was remove the words from page 4, 5, and 6Need to think how you affect the other 17 sectorsThink insulin pump or pace maker examplesSmart TVMust add economic espionage conceptWhat IP do you have that can arm hostile nation states thinking long term ill will towards the US?Counterfeit chips in space, war ships, etc. ?Next gen designs?What happened to Nortel? They no longer exist.
  • #18 You are either part of the solution or part of the problem
  • #19 2 frameworks have emerged as the most relevant to Cyber Security:1- the standards often used by Federal agencies to meet the Federal Information Security Management Act (FISMA) of 2002 requirements that havebeen developed by NIST (11 yrs old) and2- the standards developed internationally that are published by ISO/IEC and adopted by many global commercial organizations in the ISO/IEC 27000 series (BS 7799 1995 and 18 yrs old).Both of these standards provide a general framework for managing IT securityISO/IEC 27001 standard focuses on making sure that an organization has a management system that is capable of managing informationSecurityStandards included in the ISO/IEC 27000 family include:⚫ ISO/IEC 27000 Fundamentals and principles⚫ ISO/IEC 27001 ISMS requirements⚫ ISO/IEC 27002 Security controls (Code of Practice for Information Security Management)⚫ ISO/IEC 27003 ISMS implementation guidance⚫ ISO/IEC 27004 Information security management metrics and measurements⚫ ISO/IEC 27005 ISMS risk managementFISMA standards include a risk assessment methodology (Special Publication 199) a detailed controls list (SP 800-53), and has Objective assessment criteria (SP 800-53A)The focus of the framework is on the Information Technology systems, and On their certification and accreditation to operate.Other standards such as the Payment Card Industry Data Security Standard (PCI DSS) focus on particular information assets (credit card security) So in practice must be integrated with another general frameworks in order to meet the real-world requirements of an organization needing to protect ALL of their assetsBest put:ISO 270001 and FISM – Ensures you’re secureITIL – Ensures you’re operating efficientlyCOBIT – Ensures you’re aligned with your businessCOBIT 5 also recently releasedEvaluate, Direct, and Monitor: ISO/IEC 38500 &amp; ISO 31000Align, Plan, and Organize: TOGAF, Prince2, and CMMIISO/IEC 2700 – Straddles:Align, Plan, and Organize Build, Acquire, and ImplementMonitor, Evaluate, and AssessBuild, Acquire, and Implement: ITIL v3We have struggled as an industry to set standardsWe have standards for each vertical right nowWe built one for cloud at CSA using common controls from HITRUST for multi-tenant cloud service providersAs mentioned earlier, Cyber for most sectors right now is about the basicsEach sector needs to figure this out and work with their Sector Specific Agency (SSA) and NIST to come up with their basics
  • #20 We have developed the myth that technology can be an effective fortress – we can have securityPeople, Process, and TechnologyIn that order…Some basics – Slide speaks for itself…A new of defending
  • #21 Same issues highlighted in 2 different reports.FundingCultureLegacy technology/deploymentsBudget (funding again)Lack of SkillsWe need to expect more from our ecosystem1- Ourselves2- VendorsGlasshouses?We need to understand our limitations-Technology is ahead of SecurityWe live in a Information Technology ecosystemSecurity is Everyone’s Responsibility.
  • #22 The game has changed as well with AVWith CloudWith Mobile – BYODBasics firstAddress evolution next Again, Tech is ahead of SecurityWe’ll deal with advanced NEXTCrawl, Walk, and then RunThe next iteration of our security is to apply evidence that we have.Industry security evidence exists, but mostly ignored.We need to use this evidence to better:invest in basicsFocus on the most critical data and ensure resilience By sectorBy attacker
  • #23 Isn’t it spooky that the same old information keeps cropping up everywhere?The Moneysec approach says to look at the correlations.Notable bias in AV vendor reportsNotable bias in security service provider reportsTraining company bias towards training or their philosophy…Mandiant reports bias towards APT/Nation State attackersVZ DBIR and TW GSR bias towards credit card and PIIPrivacy Rights Clearing House towards privacyAnd so on…But these reports, stitched together alaMoneysec tell us some thingsAnd there’s a wealth of information out thereThis is our BIG DATA I’m waiting for it to be holistically analyzed- I’m an amatuer- Bias extractedVendors need to fix their bias…come onThis is how we will identify trends in the futureBe more nimble as defendersWe need to apply what we’re learning as an overlay to basics that are WORKING
  • #24 Now that we have this data.Need to prioritize what needs to be secured firstRisk Management gives this to us.There’s a lot of define and come to agreement on when it comes to risk managementPCIS – Sector meetingDefined risk as consequence (as impact only) by $$$NO!!!Basic definitionRisk = Probability x ImpactFactor Analysis of Information Risk (FAIR)Risk = The probable frequency and probable magnitude of future lossFAIR provides a reasoned and logical framework for answering these questions:‣ A taxonomy of the factors that make up information risk. This taxonomy provides a foundational understanding of information risk, without which we couldn’t reasonably do the rest. It also provides a set of standard definitions for our terms.‣ A method for measuring the factors that drive information risk, including threat event frequency, vulnerability, and loss.‣ A computational engine that derives risk by mathematically simulating the relationships between the measured factors.‣ A simulation model that allows us to apply the taxonomy, measurement method, and computational engine to build and analyze risk scenarios of virtually any size or complexity.All of this is used to make informed decisions and act accordinglyAll of this is subject to error, but it’s informed.
  • #25 Moneysec ideas borrowed from:Jared Pfost, Chief Executive Officer, Third DefenseBrian Keefer, Security Architect, Leading SaaS Security CompanyWhat are your measures of success?
  • #26 Median time an attacker was present on a victim network is 243 days Down from 416 days in 2011- Worse case, it took 4 years and 10 months to detect APTNot goodOnly 1/3 detected their compromise2/3 were told by an external entity (LEA or service provider)Not goodWhere Information Sharing may be beneficialThe bad guys share… Why don’t we?Industries being TargetedYour network is only as secure as your outsourced service provider.Make sure your organization understands the security posture of these providers, and apply as stringent policies to their access as you would to your own employees. Once a target always a target
  • #27 Information about your networks, systems, and organization provide a road map for attackers to quickly find what they are searching for. Apply the appropriate data classifications to such information and secure it accordingly. Attackers with an objective of economic espionage have specific goalsand will return until their mission is complete. Treat incident detection and response as a consistent business process — not just something you do reactively. Constant vigilance and rapid response is necessary to keep an organization secure. Exploiting Web servers used to be indicative of crimes of opportunity rather than targeted, pre-meditated attacks. However, in 2012, Mandiant witnessed compromised Web servers being used as an initial means of access to conduct economic espionage6.5 Terabytes was stolen from a single organizationRemember the bias is nation states, APT, and cybercrime for Mandiant reportsConducting economic espionageStealing IPDisrupting and intercepting services
  • #28 VZ DBIR bias is towards PCI / credit cards and Cyber crimecorporate and SMB attacks
  • #33 Over $13 Billion Spent on PersonnelThe most revealing figure to come out of the report is the increase in personnel expenses. Of the $14.6 billion spent on cybersecurity in 2012 a whopping 90% went to personnel, an increase from 76% in 2011. Although IT security software and hardware is growing more sophisticated and automated, it only accounted for 5% of spending. Cybersecurity Education DownCyber protection is a bottom up process now. It’s been A Challenging YearThe top reported cybersecurity challenges were:- Funding the administration’s priority initiatives- Cultural challenges- Upgrading legacy technology- The current budget structure- Acquiring skilled personnel Top Three Government Cybersecurity Spenders in 2012 were:- Department of Defense: $12 billion- Department of Homeland Security: $615.5 million- Treasury Department: $404 million Security Incidents on the Rise49,000 security incidents were reported in 2012, Up from 43,889 in 2011. Majority of incidents were the result of lost or stolen equipment and data, not unauthorized access
  • #34 Ponemon and CSO Studies show trends.We also saw these results in the Mandiant reportWe’ve heard these words with the DoE compromiseWe’ve seen that SMBs are being heavily targeted right now
  • #35 We see trends in the Trustwave GSR, Mandiant Threat Report, and VZ DBIRVZ’s Vocabulary for Event Recording and Incident Sharing (VERIS) is a way to tie incident sharing and event recording togetherWe all need to adopt it or parts of itWe need to figure out how/if to make it light weight to follow itWe need to use public sources:DatalossDB.orgPrivacy Rights ClearinghouseThe Security IndexAll of these reports…Do we have anything else?
  • #36 We also need to leverage forms of threat modeling that allowsOffense to Inform Defense how to better secure -- The Cyber Kill ChainJust one mitigation disrupts the chain and the adversary
  • #37 Moving response and countermeasures to earlier phases of the kill chain is essential in defending today’s networks
  • #38 Some trends that I’ve seen…Phishing and EmailExploitable Links and BrowsersJava, Flash, PDF, MS OfficeA/V CoverageAndroid, iOS, Windows, and MacOSAir Gaps and Removable MediaEndpoint SecuritySecurity AwarenessSecurity BasicsWe’re back here
  • #39 Take our timeDo this right
  • #40 I’m my father’s son…It’s our time.We need thisThis is what winning looks and feels like